RSA 2014: Is Your Security Policy Out of Date?

Experts recommend building some flexibility into your security policy, and keeping it updated.

Network administrators and government IT professionals may have a tough time keeping up with rapid changes in digital technology and cybercrime trends. They could spend so much time watching their networks that they neglect to update and re-examine security policies.

Security experts at the 2014 RSA Conference offered tips on what to look for when it’s time to refresh internal cybersecurity policy.

The first and most obvious thing to consider is how long it’s been since the current policy was created. Older documents probably don’t factor in recent digital consumption trends.

“Certain questions you need to ask are: Does it address mobile? Does it address cloud? And the current technology people are using?” said Dan Lohrmann, Michigan’s chief security officer.

Employees themselves are another matter. Paul Kocher, president and chief scientist for Cryptography Research, a division of Rambus, recommends getting sneaky and performing “tests” around the office to see whether people follow your existing program.

“There are some fairly straightforward things to do like leaving some thumb drives around and seeing if they get plugged into your machines, or sending phishing emails to your own employees and seeing how many click on those links,” he said. “You might not want to know the answers to those questions because the likelihood is that you’re not going to have 100 percent compliance and an adversary only needs to have one mistake.”

But network administrators can also gauge their own cyberfitness by evaluating whether they would have been able to handle a breach that impacted another organization.

“Looking at issues like, whether you would have been able to deal with attacks that have compromised other systems, and looking for new tools that will assess cybersecurity in ways that are different from how you’ve been looking at it in the past,” Kocher recommended.

Incorporating flexibility into a policy may prepare a network better than any other single decision, some experts say. An adaptable enterprise is one that’s better armed for survival, according to Jamie Brown, CA Technologies’ director of global government relations.

“I think it’s very important to build that flexibility and ability to innovate and evolve into the process,” he said. “If you come up with a static set of requirements, a static set of standards, such as a checklist, I think you’re going to find, in this day and age, you will be quickly obsolete.”

This is the third video in a series of five. Visit Govtech.com tomorrow for more highlights from RSA 2014.

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and on @hiltoncollins on Twitter.